macOS VPN apps outside of the App Store

Apple is encouraging VPN apps on macOS to transition to Network Extension APIs, if they haven't done so yet, see:

Using Network Extension is fine for VPN apps that are distributed via the Mac App Store. Users get one pop-up requesting permission to add VPN configurations and that's it.

However, VPN apps that are distributed outside of the App Store (using Developer ID) cannot use Network Extension in the same way; such apps need to install a System Extension first (see TN3134: Network Extension provider deployment).

Installing a System Extension is a very poor user experience. There is a pop-up informing about a system extension, which the user has to manually enable. The main button is "OK", which only dismisses the pop-up, and in that case there is little chance that the user will be able to find the correct place to enable the extension. The other button in that pop-up navigates to the correct screen in System Settings, where the user has to enable a toggle. Then there is a password prompt. Then the user has to close System Settings and return to the app.

This whole dance is not necessary for VPN apps on the Mac App Store, because they work with "app extensions" rather than "system extensions".

As a developer of a VPN app that is distributed outside of the App Store, my options are:

  • Implement VPN functionality in an alternative way, without Network Extension. This is discouraged by Apple.
  • Use a System Extension with Network Extension. This is going to discourage my users.

I have submitted feedback to Apple: FB19631390.

But I wonder, why did Apple create this difference in the first place? Is there a chance that they will either improve the System Extension installation process or even allow "app extensions" outside of the Mac App Store?

Answered by DTS Engineer in 854085022
why did Apple create this difference in the first place?

I can’t answer why questions. See Quinn’s Top Ten DevForums Tips for more about that.

As mentioned there, my recommended path forward in cases like this is for you to file an enhancement request for the features you need. It seems like you’ve already done that (FB19631390). Thanks!

Is there a chance that they will … allow "app extensions" outside of the Mac App Store?

Keep in mind that appex-based VPN isn’t well aligned with macOS’s execution model. macOS supports multiple users simultaneously, which is a concern because VPN configurations affect the networking stack as a whole. macOS also supports running third-party code when no user is logged in, which also doesn’t gel well with the appex model.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn! So it seems to me that app extensions are unlikely to be supported outside of the Mac App Store. And system extensions are more wide reaching, so they require the user's understanding of that. I suppose the best bet is to hope Apple will consider the feedback and improve the system extension installation UX.

I just had an idea, maybe the system extension installation could be part of the .pkg installer, because it can already install some other system level components. I will add this idea as a comment in that enhancement request. Or should I file a separate one?

Or should I file a separate one?

It’s probably better to do this. Assuming that I’ve understood you properly (-:

It sounds like you want installer packages to be able to install and activate system extensions. If so, that’s a question for the installer team, as opposed to the NE team, and so a separate bug report makes sense.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I already received a response to the original request (FB19631390); they are not planning to make improvements on that side.

So I created a new request: FB19761610 (Package Installer: Ability to install and activate System Extensions)

I couldn't find a category specific to the Installer, so I selected the System Extensions Framework category.
